Ireland's Data Protection commissioner has ordered Facebook not to send any more personal data from Europe to the US. The regulator has the authority to fine Facebook up to 4% of its global turnover, should non-compliance be an issue.
The order, described to Independent.ie by people close to the situation as "well progressed", is the result of a European Court decision in July, which struck down the transatlantic 'Privacy Shield' treaty.
It means that the validity of 'standard contractual clauses' (SCCs) used by thousands of Irish and European companies to transfer data, is now closer to being cancelled.
However, the process is only about half over. The order is only preliminary, so far, and Facebook is doing what it can to appeal or subvert the ruling. The NYOB post links to three letters which provide background on the matter between Data Protection Commission and Facebook.
Previously:
(2020) CJEU Issues Judgment on Schrems II Case
(2018) Privacy Expert Schrems Files GDPR Complaints Against Google, Facebook, Instagram and WhatsApp
(2018) ICANN's Pre-Emptive Attack on the GDPR Thrown out by German Court
(2018) Facebook is Trying to Block Schrems II Privacy Referral to EU Top Court
(2015) EU Top Court Rules Safe Harbour Treaty Invalid
Related Stories
The European Court of Justice has just ruled that the Safe Harbour agreement, which is used by American startups to transfer data between the US and Europe, is invalid. As a result, companies such as Facebook and Twitter may now need to host European user data in Europe, rather than hosting it in the US and transferring it over.
This is a brushed up Google translation of nu.nl (http://www.nu.nl/internet/4139196/europees-hof-zet-streep-privacyverdrag-met-vs.html).
In the meantime this news is also coming through in English: http://www.ft.com/fastft/402791/eu-court-deals-blow-amazon-facebook-with-safe-harbour-ruling and http://uk.businessinsider.com/european-court-of-justice-safe-harbor-ruling-2015-10.
The European Court on Tuesday scrapped the so-called Safe Harbour treaty, which regulated the storage of European personal data in the United States.
Under the treaty enabled Internet companies like Facebook are allowed to store the data of Europeans in the US. However, the Court finds that the data in that country are inadequately protected and that therefore the treaty is invalid.
The ruling also made clear that, regardless of the European convention, it should have been possible for national regulators like the Dutch Data Protection Authority to prevent data from being sent to servers in the US. The Court follows with its judgment the recently expressed opinion of Advocate General Yves Bot.
The judgment has been done in a case between the Austrian student Max Schrems and Facebook. Schrems wanted the Irish privacy watchdog to investigate data protection in the United States, but because of the Safe Harbor treaty, the Irish watchdog refused to launch an investigation. Schrems also noted disclosures of whistleblower Edward Snowden in this case. NSA documents from Snowden showed that the intelligence agencies harvest private data from internet users on a large scale. According to Schrems this was a reason to keep European data from being processed in the US.
In the ruling, the Court points to a message from the European Commission to the European Parliament, in which the large-scale collection of private data by the US is named "unacceptable". In view of this communication, the Commission should immediately suspend the treaty.
Facebook is trying to block Schrems II privacy referral to EU top court. In an attempt to get Ireland's Supreme Court to decide about accepting their appeal, their lawyer has asked for the referral to the EU court to be delayed while at the same time asking for an unusal accelerated referral to Ireland's Supreme Court.
Facebook’s lawyers are attempting to block a High Court decision in Ireland, where its international business is headquartered, to refer a long-running legal challenge to the bloc’s top court.
[...] The case relates to a complaint filed by privacy campaigner and lawyer Max Schrems regarding a transfer mechanism that’s currently used by thousands of companies to authorize flows of personal data on EU citizens to the US for processing. Though Schrems was actually challenging the use of so-called Standard Contractual Clauses (SCCs) by Facebook, specifically, when he updated an earlier complaint on the same core data transfer issue — which relates to US government mass surveillance practices, as revealed by the 2013 Snowden disclosures — with Ireland’s data watchdog.
Also at Reuters : Facebook bids to keep data privacy case from EU's top court.
Earlier on SN:
High Court Sets Out 11 Questions for ECJ on EU-US Data Transfers
Austria Resident Max Schrems is Organizing a Privacy-Oriented Class-Action Suit Against Facebook
EU Top Court Rules Safe Harbour Treaty Invalid
The EU's General Data Protection Regulation (GDPR) has only just started to be enforced, but it is already creating some seriously big waves in the online world, as Techdirt has reported. Most of those are playing out in obvious ways, such as Max Schrems's formal GDPR complaints against Google and Facebook over "forced consent" (pdf). That hardly came as a shock -- he's been flagging up the move on Twitter for some time. But there's another saga underway that may have escaped people's notice. It involves ICANN (Internet Corporation for Assigned Names and Numbers), which runs the Internet's namespace. Back in 2015, Mike memorably described the organization as "a total freaking mess", in an article about ICANN's "war against basic privacy". Given that history, it's perhaps no surprise that ICANN is having trouble coming to terms with the GDPR. The bone of contention is the information that is collected by the world's registrars for the Whois system, run by ICANN. EPAG, a Tucows-owned registrar based in Bonn, Germany, is concerned that this personal data might fall foul of the GDPR, and thus expose it to massive fines. As it wrote in a recent blog post:
We realized that the domain name registration process, as outlined in ICANN's 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn't need, it also required us to collect and share people's information where we may not have a legal basis to do so. What's more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts [for each domain name].
All of those activities are potentially illegal under the GDPR. EPAG therefore built a new domain registration system with "consent management processes", and a data flow "aligned with the GDPR's principles". ICANN was not happy with this minimalist approach, and sought an injunction in Germany in order to "preserve Whois data" -- that is, to force EPAG to collect those administrative and technical contacts.
The GDPR is now in effect. This is an attempt (mostly good) to give people control over their personal data. Specifically, companies must ask you to opt-in to data collection, and you have the right to opt-out at any time.
Of course, too many companies are trying to abuse the situation. For example, I received several notices with an "accept" option that would opt-in to more ads, newsletters or data collection than I had before. I was particularly annoyed by the new Sonos privacy policy. It states that not opting-in to their full data collection means that your Sonos products will no longer work. Which, of course, makes no sense at all - there's no reason why a loudspeaker needs to send my music listening habits to the mothership.
This is an example of a practice called "forced consent", and is explicitly forbidden by the GDPR. Max Schrems, an Austrian attorney and privacy expert, has gone to war on exactly this kind of abuse. Just minutes after the GDPR came into effect, he filed separate complaints against Google, Facebook, Instagram, and WhatsApp - all of which have similar forced-consent policies: opt-in or you cannot use their products.
Schrem's efforts are funded through noyb.eu (none of your business), which is a crowdfunded platform and organization that works for privacy rights online.
The CJEU (Court of Justice of the European Union) issued its judgment on the Schrems II case, formally called Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/1). The gist is that US companies are now put back to an average status, same as most others, with no special access to EU data due to operating in the US. It will take a while before the decision is published at the government site. Max himself has also issued his first statement on the CJEU judgment, notably that the European Commission bowed to US pressure and that now reform of US surveillance is unavoidable:
US Surveillance reform is unavoidable - CJEU just says it out loud
The Court was clear that the far-reaching US surveillance laws are in conflict with EU fundamental rights. The US limits most protections to "US persons", but does not protect the data of foreign customers of US companies from the NSA. As there is no way of finding out if you or your business are under surveillance, people also have no option to go to the courts. The CJEU found that this violates the 'essence' of certain EU fundamental rights.
Schrems: "The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley."
(Score: 3, Interesting) by Barenflimski on Saturday September 12 2020, @07:14PM (1 child)
From the perspective of investment I think that every country should require this of these big tech companies. This would force each one of these large companies to invest in a data center local to the country in question. That would in turn create local jobs and local training. With any luck, the data center would also be able to then house other local companies and off we go...
(Score: 3, Interesting) by looorg on Saturday September 12 2020, @07:28PM
It's a growing concern among a lot of countries. It's somewhat interesting that it's Ireland tho considering that a lot of countries in Europe are, or used to be, mad at Ireland cause a lot of companies put their Euro-HQ there so they would dodge taxes in or at all their other European offices. But as Facebook and Amazon and (insert other company) continue to plop down data-centers, delivery-centers or whatever they are called all over the continent without actually paying very much in taxes the issue will rise. I guess a lot of smaller municipalities started out super happy that they where getting a data center and went all in and more or less giving land away hoping for some kind of revitalization only to later realize that next to nobody works there once it's built and they don't hardly employ many or any local people. So the boon of getting one of these places doesn't seem all that great in the end.
(Score: 0) by Anonymous Coward on Saturday September 12 2020, @11:33PM
Micks: Hey Facebook
Zuck: wot?
Micks: Stop sending personal data like name, address, potato consumption.
Zuck: OK, if you stop using my Facebook.
Micks: But want to see what friends are eating for breakfast.
Zuck: U addicted, bro.
(Score: 0) by Anonymous Coward on Sunday September 13 2020, @06:22AM
Per the money quote: “Supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means.”
Viewing a Facebook page is by definition transferring it. So if I view a European page out of the country, is that a violation of their expectations? The FBI, CIA, NSA or whoever could create a bot that just directly viewed Facebook pages and then created a database, etc. So unless they want to shut off access at the border, is this at best a speed bump? What is the real goal of this requirement?